Security Incidents mailing list archives
RE: Anyone else seeing SSH scans?
From: "Andrew Kopp ( Tor ZEW )" <andrew.kopp () kuehne-nagel com>
Date: Wed, 28 Jul 2004 08:33:01 -0400
I have seen a significant increase of scans on our ssh ports... But none of them seem to be related to any on this list. The attacker is trying different accounts such as root or admin. They seem to try two passwords with the admin account and three passwords with the root account. If they are unable to obtain access they move on to the next host. It seems to be scripted, as each host has the same log except for the timestamp. All scans have originated from one source.

Below is an example from one of my servers:

Jul 26 01:55:50 www1 sshd[32674]: Failed password for admin from 128.175.230.71 port 41402 ssh2
Jul 26 01:55:51 www1 sshd[32680]: Failed password for admin from 128.175.230.71 port 41443 ssh2
Jul 26 01:55:52 www1 sshd[32691]: Failed password for root from 128.175.230.71 port 41493 ssh2
Jul 26 01:55:53 www1 sshd[32697]: Failed password for root from 128.175.230.71 port 41518 ssh2
Jul 26 01:55:53 www1 sshd[32703]: Failed password for root from 128.175.230.71 port 41562 ssh2

But since the first attack they have stopped... Mind you, they managed to scan my entire class C.

To be honest, because they are looking for root logins, I am assuming they are just scanning for badly configured hosts (could possibly be using default configurations for some systems such as routers or firewalls).

Regards,

Andrew Kopp
Kuehne + Nagel
andrew.kopp () kuehne-nagel com
Tel: (905) 696-2135
Fax: (905) 670-8942

-----Original Message-----
From: incidents-return-7833-andrew.kopp=kuehne-nagel.com () securityfocus com [mailto:incidents-return-7833-andrew.kopp=kuehne-nagel.com@securityfocus.com] On Behalf Of Matthew Dharm
Sent: Tuesday, July 27, 2004 1:00 PM
To: incidents () securityfocus com
Subject: Anyone else seeing SSH scans?

I've noticed that several *NIX machines I have running (all of which are located in the same IP block) are periodically getting scanned via ssh for the accounts 'test' and 'guest'. The source IP varies with each scan.

But I'm getting about one of these a day now. Obviously, I don't have accounts with that name on my systems, but still.... Is this something new, or just people looking for badly configured machines?

Matt

--
Matthew Dharm                              Home: mdharm () one-eyed-alien net
Senior Software Designer, Momentum Computer

P: Nine more messages in admin.policy.
M: I know, I'm typing as fast as I can!
                                        -- Pitr and Mike
User Friendly, 11/27/97
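As an added example (not part of either post), a small Python script that parses sshd "Failed password" lines like the ones quoted above, groups them by source address, and reports sources that burst past a threshold within a short window; the 192.0.2.10 line, the year, and the threshold values are constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# OpenSSH auth-log line as quoted in the post (syslog timestamp carries no year).
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample: the five quoted lines plus one single failure from 192.0.2.10.
SAMPLE_LOG = """\
Jul 26 01:55:50 www1 sshd[32674]: Failed password for admin from 128.175.230.71 port 41402 ssh2
Jul 26 01:55:51 www1 sshd[32680]: Failed password for admin from 128.175.230.71 port 41443 ssh2
Jul 26 01:55:52 www1 sshd[32691]: Failed password for root from 128.175.230.71 port 41493 ssh2
Jul 26 01:55:53 www1 sshd[32697]: Failed password for root from 128.175.230.71 port 41518 ssh2
Jul 26 01:55:53 www1 sshd[32703]: Failed password for root from 128.175.230.71 port 41562 ssh2
Jul 26 09:12:07 www1 sshd[1204]: Failed password for invalid user test from 192.0.2.10 port 50211 ssh2
"""


def parse_failures(lines, year=2004):
    """Yield (timestamp, user, ip) for every failed-password line; skip anything else."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]


def max_in_window(timestamps, window_s):
    """Largest number of sorted events inside any window_s-second span (two pointers)."""
    best, start = 0, 0
    for end, ts in enumerate(timestamps):
        while (ts - timestamps[start]).total_seconds() > window_s:
            start += 1
        best = max(best, end - start + 1)
    return best


def summarize_sources(lines, window_s=60, min_failures=3):
    """Per source IP: flag bursts of >= min_failures failures within window_s seconds."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failures(lines):
        by_ip[ip].append((ts, user))
    report = {}
    for ip, events in by_ip.items():
        events.sort()
        burst = max_in_window([ts for ts, _ in events], window_s)
        if burst >= min_failures:
            report[ip] = {"max_in_window": burst, "per_user": dict(Counter(u for _, u in events))}
    return report
```

Run against a real auth log with `summarize_sources(open("/var/log/auth.log").readlines())`; a one-off typo like the 192.0.2.10 line stays below the threshold, while the scripted admin/root sequence is reported with its per-account counts.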
Current thread:
- Anyone else seeing SSH scans? Matthew Dharm (Jul 27)
- Re: Anyone else seeing SSH scans? Charles Heselton (Jul 28)
- Re: Anyone else seeing SSH scans? Ed J. Aivazian (Jul 28)
- Re: Anyone else seeing SSH scans? Seth J. Blank (Jul 28)
- Re: Anyone else seeing SSH scans? Jon Lewis (Jul 29)
- <Possible follow-ups>
- Re: Anyone else seeing SSH scans? sk (Jul 28)
- Re: Anyone else seeing SSH scans? Hossein Rafighi (Jul 29)
- RE: Anyone else seeing SSH scans? Andrew Kopp ( Tor ZEW ) (Jul 28)
- RE: Anyone else seeing SSH scans? R Michael Williams (Jul 29)
- RE: Anyone else seeing SSH scans? Ian Hayes (Jul 29)
- RE: Anyone else seeing SSH scans? GUSAIN, SUBODH (Jul 29)